[liberationtech] nweb + Tor

Jonathan Wilkes jancsika at yahoo.com
Tue Jan 21 11:31:12 PST 2014


On 01/20/2014 09:32 PM, Jorge SoydelBierzo wrote:
> I've tested this several years ago; maybe the GET needs to be bigger 
> for a buffer overflow (over 1012 bytes, no matter if you use A, U or 
> 5 ;-D)

Where would the buffer overflow originate?  Is it in one of the C 
libraries, or the code for nweb?  If you're saying it's in the code for 
nweb I don't see where it would happen.  It either reads the request 
using a fixed buffer size or it doesn't parse it.

The reason I started fooling with nweb is because I actually have a 
fighting chance of understanding what these 200 lines of code do. And it 
could be shaved down even more to have the server do even less with the 
arbitrary strings that the internet is shooting at it.

It seems like having the bare minimum moving parts is a better approach 
than starting with a server that does too much and turning off the parts 
I don't want.  But I admit that's just a gut feeling which is why I 
posted on here. :)

-Jonathan

>
> When buffer overflow works, you can get a core dump file.
>
> With ESP and EIP values in core dump, and patternOffset tool from 
> Metasploit, you can calculate word alignment, EIP offset, etc.
>
> With ESP value, buffer size, ESP offset and generated shellcode, using 
> http-esploit.pl you can make a payload to send to 
> nweb.
>
> Nweb is a PoC, hope nobody uses it in the wild.
>
> On Tuesday, 21 January 2014, Andrés Leopoldo Pacheco Sanfuentes 
> <alps6085 at gmail.com> wrote:
>
>     On Mon, Jan 20, 2014 at 7:06 PM, Jonathan Wilkes
>     <jancsika at yahoo.com> wrote:
>     > GET
>     >
>     /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     > AAAAAAAAA
>     >
>     AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>     > HTTP/1.0
>
>
>     would it work the same if one replaced the "A" with "U", for example? :D
>
>     Best Regards | Cordiales Saludos | Grato,
>
>     Andrés L. Pacheco Sanfuentes
>     <alps at acm.org>
>     +1 (817) 271-9619
>     --
>     Liberationtech is public & archives are searchable on Google.
>     Violations of list guidelines will get you moderated:
>     https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>     Unsubscribe, change to digest, or change password by emailing
>     moderator at companys at stanford.edu.
>
>
>
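The fixed-buffer reading Jonathan describes, as an added C example that is not nweb's code: the request line is read with read() capped at the buffer size, and the method and target are length-checked against their destinations before any copy, so an over-long GET like the one quoted above is refused rather than written past a buffer. BUFSIZE, MAXURI and the function names are assumptions made for this example, not values from nweb.

```c
/* Added example, not nweb's code; BUFSIZE and MAXURI are limits assumed here. */
#include <string.h>
#include <unistd.h>

#define BUFSIZE 2048   /* every read() is bounded by this fixed buffer */
#define MAXURI  1024   /* longest request target we are willing to serve */
enum { REQ_OK = 0, REQ_TOO_LONG = 1, REQ_BAD = 2 };
struct request { char method[8]; char uri[MAXURI + 1]; };

/* Parse one NUL-terminated request line; every copy is length-checked first. */
int parse_request_line(const char *buf, struct request *req)
{
    const char *sp = strchr(buf, ' ');
    if (sp == NULL || (size_t)(sp - buf) >= sizeof req->method) return REQ_BAD;
    memcpy(req->method, buf, (size_t)(sp - buf));
    req->method[sp - buf] = '\0';
    const char *uri = sp + 1;
    size_t ulen = strcspn(uri, " \r\n");    /* target ends at version or line end */
    if (ulen > MAXURI) return REQ_TOO_LONG; /* refuse before touching req->uri */
    if (uri[ulen] != ' ') return REQ_BAD;   /* no HTTP version: malformed/cut off */
    memcpy(req->uri, uri, ulen);
    req->uri[ulen] = '\0';
    return REQ_OK;
}
/* Read one request from fd: read() is capped at BUFSIZE-1 bytes, and a line
   that did not fit in the buffer is rejected rather than parsed. */
int read_request(int fd, struct request *req)
{
    char buf[BUFSIZE];
    ssize_t n = read(fd, buf, BUFSIZE - 1);
    if (n <= 0) return REQ_BAD;
    buf[n] = '\0';
    if (strchr(buf, '\n') == NULL) return REQ_TOO_LONG;
    return parse_request_line(buf, req);
}
/* Constructed input like the list's test request, "GET /AAA...A HTTP/1.0"
   with uri_len A's; returns the parser's verdict on it. */
int classify_get_of_length(size_t uri_len)
{
    struct request req;
    char line[BUFSIZE + 32];
    if (uri_len + 20 > sizeof line) return REQ_TOO_LONG;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'A', uri_len);
    strcpy(line + 5 + uri_len, " HTTP/1.0\r\n");
    return parse_request_line(line, &req);
}
```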
